Enabling FIPS on ISE & potential impact

AFlack20
Level 1

Two-part question here:

Customer has a two-node ISE deployment (primary and secondary PAN) that needs to have FIPS enabled for compliance reasons.

First, what are some of the potential issues that could arise from enabling FIPS mode within their production deployment?

Secondly, they're currently running ISE 2.6 patch 7 and will be getting upgraded to 3.1.0 patch 3. Should this upgrade take place prior to enabling FIPS?

Accepted Solutions

Damien Miller
VIP Alumni

I don't envy you. If you're using TrustSec and/or SDA, then the traditional PAC provisioning will fail after enabling FIPS. This process uses TLS 1.0 and FIPS mode disables it. I recall MAB also stops working since PAP is not allowed in FIPS.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_basic_setup.html#ID395

"The certificates that are installed in Cisco ISE must be re-issued if the encryption method that is used in the certificates is not supported by FIPS.

When you enable the FIPS mode, the following functions are affected:

  • Lightweight Directory Access Protocol (LDAP) over SSL

Cisco ISE enables FIPS 140 compliance via RADIUS shared secret and key management measures. When the FIPS mode is enabled, any function that uses a non-FIPS-compliant algorithm fails.

When you enable the FIPS mode:

  • All non-FIPS compliant cipher suites are disabled for EAP-TLS, PEAP, and EAP-FAST.

  • All non-FIPS compliant cipher suites are disabled in SSH.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA private keys must be 2048 bits or greater.

  • ECDSA private keys must be 224 bits or greater.

  • ECDSA server certificate works with only TLS 1.2.

  • DHE ciphers work with DH parameters of 2048 bits or greater for all ISE TLS clients.

  • 3DES ciphers are not allowed for Cisco ISE as a server.

  • SHA-1 is not allowed for generating certificates.

  • SHA-1 is not allowed in client certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • Local SSH server operates in FIPS mode.

  • The following protocols are not supported for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP

Once the FIPS Mode is enabled, all the nodes in the deployment are rebooted automatically. Cisco ISE performs a rolling restart by first restarting the primary PAN and then restarting each secondary node, one at a time. Hence, it is recommended that you plan for the downtime before changing the configuration."
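As an added example (not part of the original post, and not Cisco tooling), a pre-change check that applies the limits from the quoted guide text to a certificate inventory and to recent RADIUS authentications. It assumes certificates were dumped with `openssl x509 -noout -text` and that authentications are available as (network device, protocol) pairs; that record layout, the device names and all sample data are constructed.

```python
import re
from collections import Counter

# Limits taken from the Cisco ISE admin-guide text quoted in the post above.
MIN_KEY_BITS = {"rsaEncryption": 2048, "id-ecPublicKey": 224}
NON_FIPS_RADIUS = {"EAP-MD5", "PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2", "LEAP"}

def audit_certificate(openssl_text):
    """Findings for one certificate dumped with `openssl x509 -noout -text`."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", openssl_text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", openssl_text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", openssl_text)
    if not (sig and alg and bits):
        return ["unparseable: inspect this certificate by hand"]
    findings = []
    # SHA-1 is named in the quoted list; MD5 is likewise not FIPS-approved.
    if re.search(r"sha1|md5", sig.group(1), re.I):
        findings.append(f"weak signature hash: {sig.group(1)}")
    minimum = MIN_KEY_BITS.get(alg.group(1))
    if minimum is None:
        findings.append(f"key type {alg.group(1)} not in the quoted list")
    elif int(bits.group(1)) < minimum:
        findings.append(f"{bits.group(1)}-bit key is below {minimum} bits")
    return findings

def radius_impact(auth_records):
    """Count, per (device, protocol), authentications FIPS mode would reject."""
    hits = Counter()
    for device, protocol in auth_records:
        if protocol in NON_FIPS_RADIUS:
            hits[(device, protocol)] += 1
    return dict(hits)

# Constructed sample input (not taken from a real deployment).
LEGACY_CERT = """
    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
MODERN_CERT = """
    Signature Algorithm: ecdsa-with-SHA256
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
"""
AUTH_RECORDS = [("sw-access-01", "PAP"), ("sw-access-01", "PAP"),
                ("wlc-01", "PEAP"), ("sw-access-02", "EAP-TLS")]

if __name__ == "__main__":
    print(audit_certificate(LEGACY_CERT), audit_certificate(MODERN_CERT))
    print(radius_impact(AUTH_RECORDS))
```

An empty findings list means the certificate passes only the checks listed in the quoted text; any device that appears in the impact count still sends a protocol that the quoted list marks as unsupported for RADIUS in FIPS mode.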

Hey Damien,

Really appreciate the response!

I do have a couple of follow-up questions. What do you mean that LDAP over SSL will be affected? We're in the process of converting the customer to LDAPS from a basic ISE-AD integration, with the impression that this would be compliant with FIPS.

As for the MAB, what kind of workarounds, if any, are available? I understand MAB normally operates with PAP, but Cisco switches also support EAP, which I believe is EAP-MD5 (also not supported with FIPS...). Surely there must be a compliant way to use MAB?

Lastly, any recommendations in regards to upgrading ISE either before or after enabling FIPS?

Hi @AFlack20,

About "... What do you mean that LDAP over SSL will be affected? ...": because when FIPS Mode is enabled, any function that uses a non-FIPS-compliant algorithm fails, the LDAP client must use a TLS connection using FIPS 140-2.

About "... As for the MAB what kind of workarounds if any are available? ...": remember that 802.1X defines the encapsulation of EAP, which is known as EAPoL; MAB is used for devices that do not support 802.1X.

About "... upgrading ISE either before or after enabling FIPS? ...": IMO, upgrade first, test if everything is OK in the new version and then enable FIPS. Remember that after you enable FIPS Mode, you must reboot all other nodes in the deployment.

Hope this helps!

AFlack20
Level 1

Trying to enable FIPS in my lab and keep getting the following message.

fips.PNG

I've tried editing the allowed protocols in the default device admin and default network access, but with no success getting FIPS to enable. Can anyone please decrypt the above message for me?

I've found additional information here

fips2.PNG

But this isn't clear to me as to what exactly needs to be configured.

Was able to resolve the issue with enabling FIPS. Had to create a new discussion which brought to light an existing known bug. https://bst.cisco.com/bugsearch/bug/CSCvs70863

Posting here for those that might find this discussion in the future.